Malicious Android software is becoming more sophisticated

Since Android is one of the most common mobile operating systems, attackers are constantly developing new malware for it. Software of this kind appears practically every day, and most of it does not deserve special mention. But there is one adware family whose implementation and mode of operation are very interesting (and, for an inexperienced user, very dangerous).

The adware in question is distributed in a way the attackers have already tested thoroughly: repackaging legitimate applications such as Twitter, Facebook, or even Okta (a two-factor authentication service). These trojanized apps are not uploaded to Google Play but to third-party app stores and download sites, many of which are also quite popular. From the point of view of a user downloading one of the trojanized applications, everything looks fine, and in many cases the program works as it should after installation. But along with it, a powerful Trojan is installed on the victim's phone that uses exploits to gain root. The exploits found in three families of such applications (Shedun, Shuanet, and ShiftyBug) allow the malware to install itself as a system application, with the corresponding status that only system processes have.

"For ordinary users, getting malware such as Shedun, Shuanet, or ShiftyBug could mean going to the store for a new phone," said a spokesman for Lookout, an information security company that studies Android malware. Indeed, the usual way of removing applications will not succeed: they have system status, so nothing will help.

According to experts, the attackers repackage thousands of popular applications and then place the infected programs on third-party download sites. Repackaged software carrying the Trojans mentioned above was found on sites in the USA, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico City, and Indonesia. So far there is no information that infected applications have made it into Google Play.

Interestingly, each of these malicious programs carries a whole set of exploits covering a number of the most popular mobile devices. For example, ShiftyBug is equipped with at least 8 different exploits.

Now one of the varieties of the applications mentioned above has become able to download adware to the victim's phone even if the victim refuses the installation by pressing the appropriate button. This program also belongs to the Shedun family of adware, distributed in the way described above. The malware deceives the victim using the Android Accessibility Service. After installation on the phone, the program gains the ability to show pop-up ads with links to adware. Even if the user refuses the installation, Shedun installs the adware via the Accessibility Service.

According to information security experts, Shedun in this case does not exploit a vulnerability in the service. Instead, it uses entirely legitimate Android features. Once granted permission to use the accessibility service, Shedun is able to read the text that appears on the display, determine what the application is requesting, view the list of permissions, and press the install button on its own, all of this autonomously, without user intervention.
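The two properties described above, an app holding the Accessibility Service privilege and an app sitting under /system, are both visible from a workstation over adb, so a quick audit is possible. The following POSIX shell script is an added example and is not code from the original article or from Lookout: it parses the output of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries) and of `adb shell pm path <package>`, flagging accessibility services outside an allow-list and packages whose APK lives under /system. The package names in the samples (`com.example.repacked.twitter`, the `InstallHelperService` class) and the allow-list are constructed placeholders, not real identifiers from the article.

```shell
#!/bin/sh
# Added example: audit Accessibility Service grants and system-app status on an Android device.
# Live use (replace the constructed samples below with these commands' output):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm path <package>

# Packages you expect to hold the accessibility privilege (constructed allow-list; adjust per fleet).
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.android.talkback"

# Constructed sample standing in for `settings get secure enabled_accessibility_services`:
# one legitimate screen reader plus a hypothetical repackaged app with its own service.
SAMPLE_ENABLED="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.repacked.twitter/com.example.repacked.twitter.InstallHelperService"

# Constructed sample standing in for `pm path com.example.repacked.twitter`
# after the malware has planted itself as a system app.
SAMPLE_PM_PATH="package:/system/priv-app/InstallHelper/InstallHelper.apk"

# Print every enabled accessibility service whose package is not allow-listed, one per line.
unexpected_a11y_services() {
    list="$1"
    printf '%s\n' "$list" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        pkg=${svc%%/*}          # text before the first '/' is the package name
        ok=0
        for a in $ALLOWED_PACKAGES; do
            if [ "$a" = "$pkg" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$svc"; fi
    done
}

# Return 0 when a `pm path` line shows the package installed under /system
# (the status the article says Shedun/Shuanet/ShiftyBug obtain), 1 otherwise.
installed_as_system_app() {
    case "$1" in
        package:/system/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run over the constructed samples.
echo "Unexpected accessibility services:"
unexpected_a11y_services "$SAMPLE_ENABLED"
if installed_as_system_app "$SAMPLE_PM_PATH"; then
    echo "com.example.repacked.twitter is installed as a system app"
fi
```

On a live device, feed `$(adb shell settings get secure enabled_accessibility_services)` to `unexpected_a11y_services` and iterate `pm path` over the packages it reports; an entry that is both non-allow-listed and under /system is exactly the combination the article describes and cannot be removed through the normal uninstall dialog.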

P.S. We are running the second stage of the campaign specifically for Habr's readers. The post with the details is here.

Source: https://habr.com/ru/post/271365/